Hacken’s 2025 security report shows nearly $4 billion in Web3 losses Coinstar

Coinstar December 29, 2025 3 minutes read

Hacken’s 2025 Annual Security Report puts total Web3 losses at about $3.95 billion, up roughly $1.1 billion from 2024, with just over half of that attributed to North Korean threat actors.


A report shared with Cointelegraph shows losses peaked at more than $2 billion in the first quarter of the year before falling to around $350 million by the fourth quarter, but Hacken cautions that the pattern still points to systemic operational risk rather than isolated coding errors.


The report frames 2025 as a year in which the numbers worsened, but the underlying story became clear. Smart contract bugs are important, but the biggest and least recoverable losses still come from weak keys, compromised signers, and messy fallout.

Access control, not code, causes losses

According to Hacken, access control failures and broader operational security failures accounted for about $2.12 billion, or nearly 54% of all losses in 2025, compared to about $512 million from smart contract vulnerabilities.

Crypto losses by type of attack. Source: Hacken 2025 Security Report

The Bybit breach alone, with nearly $1.5 billion, is being described as the largest single theft to date and a key reason why clusters linked to North Korea account for approximately 52% of the total stolen funds.


Regulators state controls, industry lags behind

Yehor Rudystia, head of forensics at Hacken Extractor, told Cointelegraph that regulators across the US, the European Union and other major jurisdictions are increasingly specifying on paper what a “good” licensing regime looks like: role-based access control, logging, secure onboarding and ID verification, institutional-grade custody (hardware security modules, multi-party computation or multisig, and cold storage), as well as continuous monitoring and anomaly detection.

However, “as regulatory requirements are just becoming mandatory principles, many Web3 companies continued to follow unsafe practices throughout 2025.”

He pointed to practices such as failing to revoke developer access during off-boarding, using a single private key to manage a protocol, and operating without an endpoint detection and response system.

“Among the most important are regular pen tests, incident simulations, custodial control reviews and independent financial audits and audits,” Rudystia said, adding that major exchanges and custodians should treat them as non-negotiables in 2026.


From soft guidelines to strict requirements

Hacken expects the bar to be raised further as supervisors shift from guidelines to strict requirements.

Yevheniia Broshevan, co-founder and CEO of Hacken, told Cointelegraph, “We see a significant opportunity for the industry to raise its security base, especially in adopting clear protocols for using dedicated signing hardware and implementing basic monitoring tools.”

She said she expects overall security to improve in 2026 as regulatory requirements and the “most secure standards” are imposed to protect users’ funds.

With North Korea-linked clusters accounting for roughly half of the losses Hacken attributed, Rudystia said regulators and law enforcement should also treat the country’s playbooks as a specific monitoring concern.

He argued that authorities should mandate real-time sharing of threat intelligence on North Korean indicators, require threat-specific risk assessments aimed at phishing-driven access attacks, and pair these with “graded penalties for non-compliance” and safe-harbor protections for platforms that fully participate and maintain North Korea-specific defenses.